The US OFAC has recently sanctioned a cryptocurrency “mixer” for alleged use in money-laundering.
It is the first time the OFAC has sanctioned a software protocol, rather than an individual or legal entity.
The decision has implications for the development of Web3.
In August 2022, the Office of Foreign Assets Control (OFAC) of the United States Treasury Department sanctioned a cryptocurrency “mixer” – programmes used to increase the anonymity of crypto transactions – for its alleged use in money-laundering. It also blacklisted a number of Ethereum addresses associated with the protocol. The sanctioning and the corresponding response by affected actors stirred up intense debate in cryptocurrency circles and beyond about how permissionless protocols should be regulated.
What are the OFAC sanctions?
The OFAC administers trade and economic sanctions on countries and persons (both natural and legal) involved in activities that threaten the security or financial stability of the US – such as terrorism, drug trafficking and money-laundering.
One of its primary tools is the Specially Designated Nationals and Blocked Persons List (SDN List): a list of the individuals and legal entities it has sanctioned. Sanctioned persons have their assets under US jurisdiction frozen, and US persons are, in general, prohibited from dealing with them. By walling sanctioned persons off from the US financial system, it becomes very hard for them to do international business, especially when transacting in USD. This is not the OFAC’s first brush with the crypto space: it has previously sanctioned crypto companies and protocols controlled by centralized entities. However, the recent move represents the first time something other than an individual or legal entity has been sanctioned, creating an unclear precedent for open-source protocols that are, in essence, pieces of code or software used as technological tools to some end.
The impact of the OFAC sanctions is that anyone, or any wallet (in practice, US persons and businesses, and indirectly the citizens and institutions of other countries that have a relationship with US persons or businesses), that interacts with the sanctioned entity/protocol or the listed Ethereum addresses would be strictly liable under US law, regardless of intent. Since the OFAC announcement, stakeholders in the ecosystem have been divided over the appropriateness and feasibility of the sanctions.
How will the decision shape Web3?
Web3 – the vision of a new, better internet – is often characterized by the guiding principles of being decentralized, permissionless and trustless. Instead of a few central players monopolizing the web, the aim is for the community of users to build, operate and own the web – which potentially entails a fairer distribution of value generated across participants. While Web3 presents novel ways of coordinating activities across jurisdictions more effectively and fairly, and of preserving privacy and ownership of assets and data, it also brings with it regulatory concerns especially relating to money-laundering, consumer protection and financial stability.
Image caption: The OFAC sanctions announcement highlights the need for the Web3 ecosystem to collectively focus on developing solutions that are preventive and curative. Image: Chainalysis
In light of several large-scale hacks and exploits, especially where crypto mixers have been used to launder the stolen funds, the aforementioned OFAC sanctions announcement highlights the need for the Web3 ecosystem to collectively focus on developing solutions that are both preventive and curative, i.e. preventing bad actors from misusing the technology and enforcing penalties where such bad actors or actions are identified. On the other hand, the sanctions mark the first time a non-person (open-source software, rather than a natural or legal person) has been added to the SDN List, raising questions about the proportionality of the measure.
How are permissionless protocols meeting the compliance requirements?
In the aftermath of the OFAC sanctions, “permissionless” protocols have scrambled to fulfill compliance requirements in different ways. Permissionless blockchains and protocols are characterized by their open access for use by anyone without authorization, as well as their censorship resistance, in that it is impossible or exceedingly difficult to prohibit transactions to or from a user. This is because the smart contracts underlying such protocols are “immutable”: once deployed, their code cannot be altered, so a rule that blocks a given user cannot simply be added after the fact.
When faced with sanctions compliance requirements, decentralized finance (DeFi) protocols often use blockchain forensics and analytics tools to block addresses that have interacted with the sanctioned entity or addresses from using the protocols’ front-end web applications. While such a measure prevents a blacklisted address from using the front-end user interface or application through which most people interact with the protocol’s smart contract, tech-savvy individuals (such as hackers) can instead call the smart contract directly and bypass the front-end application, including its blacklisting measures. Thus, blacklisted addresses are able to continue using such protocols even once blacklisted at the application level. Yet blacklisting does prevent average, non-technical users from interacting with the protocol when such users have been “dusted” with sanctioned funds, i.e. sent small, unsolicited transfers from a sanctioned address.
Though not as common, some permissionless protocols may choose to incorporate a blacklist function – not at the application level, but directly into their smart contracts. This allows specified sanctioned addresses to be blocked at the smart contract level, thus introducing elements of centralization in an otherwise permissionless ecosystem.
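The difference between the two approaches comes down to where the check lives. An application-level blacklist runs in the web front end, which a direct contract call never touches; a contract-level blacklist runs inside the smart contract, so it applies to every caller. The Solidity contract below is an added illustration of the second approach and is not code from any protocol mentioned on this page; the contract name, the `compliance` role that maintains the list, and the deposit/withdraw/transfer functions are all assumed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not a real protocol's code): a blacklist enforced by the
// contract itself. Because the check is in the contract, it applies equally
// to users of a web front end and to anyone calling the contract directly.
// The "compliance" address that edits the list is assumed; it is the point
// of centralization the surrounding text describes.
contract Vault {
    address public immutable compliance;          // assumed privileged role
    mapping(address => bool) public blacklist;     // addresses blocked on-chain
    mapping(address => uint256) public balances;

    event Blacklisted(address indexed account, bool blocked);

    error AccountBlocked(address account);
    error NotCompliance();

    constructor(address _compliance) {
        compliance = _compliance;
    }

    // Reverts for any blocked address; used on senders and recipients alike.
    modifier notBlocked(address account) {
        if (blacklist[account]) revert AccountBlocked(account);
        _;
    }

    modifier onlyCompliance() {
        if (msg.sender != compliance) revert NotCompliance();
        _;
    }

    // Only the compliance role can add or remove an address; every change is
    // logged so the listing itself is auditable on-chain.
    function setBlacklisted(address account, bool blocked) external onlyCompliance {
        blacklist[account] = blocked;
        emit Blacklisted(account, blocked);
    }

    function deposit() external payable notBlocked(msg.sender) {
        balances[msg.sender] += msg.value;
    }

    function withdraw(uint256 amount) external notBlocked(msg.sender) {
        balances[msg.sender] -= amount;            // reverts on underflow in 0.8.x
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    // Checking the recipient too means a blocked address cannot receive funds
    // through the contract, not just send them.
    function transfer(address to, uint256 amount)
        external
        notBlocked(msg.sender)
        notBlocked(to)
    {
        balances[msg.sender] -= amount;
        balances[to] += amount;
    }
}
```

Note the trade-off the contract makes visible: a single `compliance` key decides who may use the vault, and the list can be changed after deployment, which is exactly the element of centralization that a front-end-only blacklist avoids but that a direct caller can bypass.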
As such, sanctioning a decentralized permissionless protocol, while failing to ensure its demise, tends to make the protocol inaccessible for the average user and reduces its network effects as various actors seek to comply with the regulations.
Could the decision have unintended consequences?
Since sanctions rely on proactive enforcement by banks and other financial institutions, such entities may err on the side of caution and be overly restrictive with their compliance measures.
Depending upon specific circumstances, non-compliant institutions could find themselves blocked from participation in the global financial system. As such, it may result in shutting out new Web3 users, while potentially de-platforming existing ones. Know-your-business requirements for Web3 companies could become more stringent, again making it harder for such companies to access fiat banking.